Since no vehicle was identified that could naturally and repeatedly reproduce large throttle opening UA effects for forensic evaluation, the NESC team applied a top-down systems engineering approach to explore the critical functions in the electronic control, how the system might defend against failures, and if the system had vulnerabilities.

The ETSC-i architecture was decomposed into 6 critical functional areas each with their own control loop. These control loops included safety features providing defenses against many hardware and software failure causes such as transistor latchup, electromagnetic interference, shorts, opens, single event upsets, memory failures, software glitches, etc.

NASA analysis and testing did not find evidence that malfunctions in the electronic throttle control caused large unintended accelerations, as described by some consumer reports.

The top down methodology was able to disposition failure causes based on the architecture of the system. As space, aircraft and automobile systems become more interactively complex defying our ability to predict specific failure causes and their system level effects, the functional failures threatening safety and mission success need to be understood and mitigated at the system level where all the individual parts and pieces interact.

Biography:

Mike Bay -
Over the last 34 years Mike Bay has served on the development teams for many of GSFC's flight projects. He is a member of the NESC Avionics Technical Discipline Team and participated in the study of untended acceleration in a systems engineering role.

Mike Kirsch -
Mike Kirsch is a Principal Engineer in the NASA Engineering and Safety Center. He served as the project manager for the NESC study to determine if there are design and implementation vulnerabilities in the Toyota Electronic Throttle Control System (ETCS-i) that could cause unintended acceleration under consumers’ use of the vehicle.